Platform
php
Fixed version
1.0.1
A cross-site scripting (XSS) vulnerability, tracked as CVE-2024-12232, has been identified in Simple CRUD Functionality versions 1.0 through 1.0. The flaw allows attackers to inject malicious scripts by manipulating the newtitle and newdescr parameters of /index.php. The vulnerability is remotely exploitable and has been publicly disclosed; a patch is available in version 1.0.1.
Successful exploitation of this XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious outcomes, including session hijacking, defacement of the application, and redirection to phishing sites. The attacker could potentially steal sensitive user data, such as cookies or authentication tokens, granting them unauthorized access to the application and its resources. The scope of impact depends on the privileges of the affected user and the sensitivity of the data handled by the application.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. No specific KEV listing or EPSS score is currently available. Public proof-of-concept (POC) code is likely to emerge given the public disclosure. The vulnerability was published on 2024-12-05.
Simple CRUD Functionality deployments, particularly those using older versions (1.0–1.0) and those without robust input validation mechanisms, are at risk. Shared hosting environments where multiple users share the same server and application instance are also particularly vulnerable.
• php / web:
grep -rE "newtitle|newdescr" /index.php
• generic web:
curl -I 'http://your-target-url/index.php?newtitle=<script>alert(1)</script>'
• generic web:
curl -I 'http://your-target-url/index.php?newdescr=<script>alert(1)</script>'
disclosure
Exploitation status
EPSS
0.17% (39th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-12232 is to upgrade to version 1.0.1 of Simple CRUD Functionality. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the newtitle and newdescr parameters within the /index.php file to prevent the injection of malicious scripts. Content Security Policy (CSP) can also be implemented to restrict the sources from which scripts can be executed, limiting the impact of a successful XSS attack. Regularly review and update the application's codebase to address potential security vulnerabilities.
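The workaround described above (validate the input, encode it on output, and add a CSP as defence in depth), as an added PHP illustration that is not code from the Simple CRUD Functionality project; the function names and field limits are assumed, and the real /index.php differs.

```php
<?php
// Added illustration, not the project's own code. Names and limits are assumed.

// Vulnerable pattern described for CVE-2024-12232: the request parameter is
// interpolated into HTML unencoded, so markup in newtitle/newdescr is rendered.
function renderUnsafe(string $title, string $descr): string
{
    return "<h2>$title</h2><p>$descr</p>";
}

// Output encoding for an HTML text or attribute context. ENT_QUOTES covers both
// quote styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: every dynamic value is encoded for the context it lands in.
function renderSafe(string $title, string $descr): string
{
    return '<h2>' . h($title) . '</h2><p>' . nl2br(h($descr)) . '</p>';
}

// Input validation: reject empty or over-long values and strip control
// characters (Unicode category C) other than newline and tab.
function validateField(string $value, int $maxLen): ?string
{
    $value = trim($value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > $maxLen) {
        return null;
    }
    return preg_replace('/[^\P{C}\n\t]/u', '', $value);
}

$title = validateField((string)($_POST['newtitle'] ?? ''), 120);
$descr = validateField((string)($_POST['newdescr'] ?? ''), 2000);

// Defence in depth: a CSP without 'unsafe-inline' blocks injected inline scripts
// even if an encoding bug slips through elsewhere in the application.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
header('X-Content-Type-Options: nosniff');

if ($title === null || $descr === null) {
    http_response_code(400);
    exit('Invalid title or description.');
}

echo renderSafe($title, $descr);
```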
Update or uninstall Simple CRUD Functionality. Because no fixed version is available, the only solution is to remove the software or manually patch the /index.php file to prevent the XSS vulnerability. Validate and escape the 'newtitle' and 'newdescr' inputs before displaying them on the page.
CVE-2024-12232 is a cross-site scripting (XSS) vulnerability in Simple CRUD Functionality versions 1.0–1.0, allowing attackers to inject malicious scripts via the newtitle and newdescr parameters in /index.php.
If you are using Simple CRUD Functionality versions 1.0 through 1.0, you are potentially affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the newtitle and newdescr parameters.
While active exploitation is not confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation.
Refer to the project's official channels (e.g., GitHub repository, project website) for the latest advisory and updates regarding CVE-2024-12232.